|
| 1 | +# Auth0 User Creation Setup |
| 2 | + |
| 3 | +## Overview |
| 4 | +The API now integrates with Auth0 Management API to create users programmatically when admins add new users through the admin panel. |
| 5 | + |
| 6 | +## Required Environment Variables |
| 7 | + |
| 8 | +Add the following environment variables to your `.env` file: |
| 9 | + |
| 10 | +```env |
| 11 | +# Existing Auth0 Configuration (for JWT verification) |
| 12 | +AUTH0_DOMAIN=your-tenant.auth0.com |
| 13 | +AUTH0_AUDIENCE=https://your-api-identifier |
| 14 | +
|
| 15 | +# Auth0 Management API Configuration (for user creation) |
| 16 | +AUTH0_MANAGEMENT_CLIENT_ID=your_management_api_client_id |
| 17 | +AUTH0_MANAGEMENT_CLIENT_SECRET=your_management_api_client_secret |
| 18 | +AUTH0_MANAGEMENT_AUDIENCE=https://your-tenant.auth0.com/api/v2/ |
| 19 | +AUTH0_USER_DB_CONNECTION=Username-Password-Authentication |
| 20 | +``` |
| 21 | + |
| 22 | +## Setting Up Auth0 Management API |
| 23 | + |
| 24 | +### 1. Create a Machine-to-Machine Application |
| 25 | + |
| 26 | +1. Go to your Auth0 Dashboard |
| 27 | +2. Navigate to **Applications** → **Applications** |
| 28 | +3. Click **Create Application** |
| 29 | +4. Name it "Street Support Management API" (or similar) |
| 30 | +5. Select **Machine to Machine Applications** |
| 31 | +6. Click **Create** |
| 32 | + |
| 33 | +### 2. Authorize the Application |
| 34 | + |
| 35 | +1. Select **Auth0 Management API** as the API |
| 36 | +2. Grant the following permissions (scopes): |
| 37 | + - `create:users` - Create users |
| 38 | + - `update:users` - Update user metadata |
| 39 | + - `delete:users` - Delete users (for cleanup on errors) |
| 40 | + - `read:users` - Read user information |
| 41 | +3. Click **Authorize** |
| 42 | + |
| 43 | +### 3. Get Credentials |
| 44 | + |
| 45 | +1. Go to the **Settings** tab of your Machine-to-Machine application |
| 46 | +2. Copy the **Client ID** → Use as `AUTH0_MANAGEMENT_CLIENT_ID` |
| 47 | +3. Copy the **Client Secret** → Use as `AUTH0_MANAGEMENT_CLIENT_SECRET` |
| 48 | + |
| 49 | +### 4. Configure Database Connection |
| 50 | + |
| 51 | +1. Go to **Authentication** → **Database** |
| 52 | +2. Note the name of your database connection (usually "Username-Password-Authentication") |
| 53 | +3. Use this as `AUTH0_USER_DB_CONNECTION` |
| 54 | + |
| 55 | +### 5. Set Management API Audience |
| 56 | + |
| 57 | +The audience is typically: `https://YOUR_DOMAIN/api/v2/` |
| 58 | + |
| 59 | +For example: `https://your-tenant.auth0.com/api/v2/` |
| 60 | + |
| 61 | +## How It Works |
| 62 | + |
| 63 | +### User Creation Flow |
| 64 | + |
| 65 | +1. **Admin creates user** in the admin panel |
| 66 | +2. **API validates** user data with Zod schema |
| 67 | +3. **Auth0 user created** first via Management API with: |
| 68 | + - `email`: User's email |
| 69 | + - `name`: User's email (used as display name) |
| 70 | + - `password`: Auto-generated secure password |
| 71 | + - `app_metadata.authorization.roles`: User's AuthClaims array |
| 72 | + - `email_verified`: false (requires email verification) |
| 73 | + - `verify_email`: true (sends verification email) |
| 74 | + - Auth0 auto-generates unique `user_id` (e.g., `auth0|507f1f77bcf86cd799439011`) |
| 75 | +4. **MongoDB user created** with Auth0's generated `user_id` stored in `Auth0Id` field |
| 76 | + |
| 77 | +### Error Handling |
| 78 | + |
| 79 | +- If **Auth0 creation fails**: Error returned immediately, no MongoDB user created |
| 80 | +- If **MongoDB creation fails**: Auth0 user is deleted (rollback for consistency) |
| 81 | +- Detailed error messages returned to admin panel |
| 82 | + |
| 83 | +### Password Management |
| 84 | + |
| 85 | +- **Auto-generated** secure 30-character password |
| 86 | +- Contains uppercase, lowercase, numbers, and special characters |
| 87 | +- Meets Auth0 password policy requirements |
| 88 | +- Users will use **password reset** flow for first login |
| 89 | + |
| 90 | +## API Functions |
| 91 | + |
| 92 | +### `createAuth0User(email, authClaims)` |
| 93 | +Creates a new user in Auth0 with auto-generated user ID |
| 94 | + |
| 95 | +**Parameters:** |
| 96 | +- `email`: User's email address |
| 97 | +- `authClaims`: Array of role strings (e.g., `['SuperAdmin']`, `['CityAdmin', 'CityAdminFor:manchester']`) |
| 98 | + |
| 99 | +**Returns:** Auth0 user object with auto-generated `user_id` (e.g., `auth0|507f1f77bcf86cd799439011`) |
| 100 | + |
| 101 | +### `deleteAuth0User(auth0UserId)` |
| 102 | +Deletes a user from Auth0 |
| 103 | + |
| 104 | +**Parameters:** |
| 105 | +- `auth0UserId`: Auth0 user ID (e.g., `"auth0|123456"`) |
| 106 | + |
| 107 | +### `updateAuth0UserRoles(auth0UserId, authClaims)` |
| 108 | +Updates user roles in Auth0 app_metadata |
| 109 | + |
| 110 | +**Parameters:** |
| 111 | +- `auth0UserId`: Auth0 user ID |
| 112 | +- `authClaims`: Updated array of role strings |
| 113 | + |
| 114 | +## Testing |
| 115 | + |
| 116 | +### Test User Creation |
| 117 | + |
| 118 | +```bash |
| 119 | +curl -X POST http://localhost:5000/api/users \ |
| 120 | + -H "Content-Type: application/json" \ |
| 121 | + -H "Authorization: Bearer YOUR_JWT_TOKEN" \ |
| 122 | + -d '{ |
| 123 | + |
| 124 | + "UserName": "testuser", |
| 125 | + "AuthClaims": ["CityAdmin", "CityAdminFor:manchester"] |
| 126 | + }' |
| 127 | +``` |
| 128 | + |
| 129 | +### Verify in Auth0 Dashboard |
| 130 | + |
| 131 | +1. Go to **User Management** → **Users** |
| 132 | +2. Find the newly created user |
| 133 | +3. Check **app_metadata** contains authorization roles |
| 134 | +4. Copy the **user_id** and verify it matches the `Auth0Id` field in MongoDB |
| 135 | + |
| 136 | +## Troubleshooting |
| 137 | + |
| 138 | +### "Failed to get Auth0 management token" |
| 139 | +- Verify `AUTH0_MANAGEMENT_CLIENT_ID` and `AUTH0_MANAGEMENT_CLIENT_SECRET` are correct |
| 140 | +- Check that Machine-to-Machine application is authorized for Management API |
| 141 | + |
| 142 | +### "Failed to create Auth0 user" |
| 143 | +- Verify `AUTH0_DOMAIN` is correct (without `https://`) |
| 144 | +- Check `AUTH0_USER_DB_CONNECTION` matches your database connection name |
| 145 | +- Ensure Management API has `create:users` permission |
| 146 | +- Check Auth0 Dashboard → Logs for detailed error messages |
| 147 | + |
| 148 | +### "User created in Auth0 but not in MongoDB" |
| 149 | +- Check server logs for MongoDB error details |
| 150 | +- Auth0 user should be automatically deleted on MongoDB failure |
| 151 | +- If Auth0 user remains without MongoDB record, it will be cleaned up on retry |
| 152 | + |
| 153 | +## Security Considerations |
| 154 | + |
| 155 | +- **Management API credentials** are highly sensitive - store securely |
| 156 | +- **Never expose** `AUTH0_MANAGEMENT_CLIENT_SECRET` in client-side code |
| 157 | +- **Auto-generated passwords** are not accessible after creation |
| 158 | +- Users must use **password reset flow** for first login |
| 159 | +- **Role-based access control** enforced via RBAC middleware |
| 160 | + |
| 161 | +## Next Steps |
| 162 | + |
| 163 | +1. Set up password reset email templates in Auth0 |
| 164 | +2. Configure Auth0 Actions/Rules if needed |
| 165 | +3. Set up user invitation email flow (optional) |
| 166 | +4. Configure multi-factor authentication (recommended) |
0 commit comments